February 20, 2024

Intune FAQ

This page is updated as common questions arise, this page was last updated on 29/11/2024.

What can the University see on my device?

We have a full list of what data the University can and cannot see on your device relative to each protection level.

My device won’t allow me to use Microsoft applications after initial set up of In-App Protection – what can I do?

If you are unable to fully set up In-App Protection on your device, it may be that your device is not compliant.

This may be due to having an outdated firmware or operating system (OS) version installed on your device. In this scenario, you will need to check to see if your device can be updated to a supported OS version. Click here for a full list of currently supported OS Versions.

Your device’s OS will need to be kept up-to-date in order for you to continue using the device to access University resources and services. If your device is not on a supported version it will notify you, and after 14 days the device will no longer be able to connect to University services.

If you cannot install an up-to-date OS, you will not be able to set up your device, and cannot use it to access University resources and services. Please contact the Digital Technologies Service Desk for further guidance.

The reason we must use compliant devices is to do with the requirements of Cyber Essentials. This scheme requires devices to be kept up to date and within certain compliance thresholds. One of the key areas which will fail the compliance check is the operating system version for iOS and Android.

There could be many other reasons, but the Company Portal app or the application protection policy will show you the reason the device is non-compliant.

I’ve been asked to set up a PIN when opening Microsoft Applications on my device – is this the same as my device PIN?

When opening a Microsoft Application, you will be required to set a 6-digit PIN. This is not the same PIN as you may already have on your device, and it is highly recommended that you set a different 6-digit PIN for your Microsoft Applications for extra security.

How do I deregister my device(s)?

Deregistering In-App Protection

To deregister In-App Protection on your devices you will need to remove your work account in all Microsoft apps you have installed (Outlook, Teams, OneDrive etc.). This will vary between apps and platforms, but the process will be similar.

Using Outlook as an example, you will first need to open the relevant app (Outlook), then tap your profile picture and select the settings cog that appears. Tap on your University/work email under “Email Accounts”, then scroll to the bottom and select “Remove Account”. Please note that if you have OneDrive set up, you will also need to scroll to “Storage Accounts” and repeat this process.

To fully deregister, you will need to do this in each Microsoft application installed on your device.

Deregistering Full Device Protection

To deregister from full device protection, you will need to open the Company Portal app, then select your device. Tap the three dots, then select “Remove Device”. This will remove the associated work partition/profile and any University data saved on the device.

I have In-App Protection set up on my device(s). How do I access other browser-based services?

If you wish to access any browser-based University services from your device with in-app protection, such as the Staff Directory etc., you will need to use Edge as your browser. This is because Edge is managed by Microsoft and is therefore compliant.

If you have the Company Portal App installed and Full-Device Protection set up on your device, you should be able to access these services with no issues.

Why do I have to install Authenticator/Company Portal App for In-App Protection?

When installed on an Apple device, the Microsoft Authenticator App works in the same way as the Microsoft Company Portal app (as well as providing you all the benefits of a faster MFA process when configured). It checks your device is compliant and allows you to use In-App Protection, rather than having to set up Full Device Protection.

Android users need to download the Microsoft Company Portal app to allow this same level of compliance check. You do not need to open/sign into the app or configure it for this to work, simply have it installed on your device.

For Full Device Protection on Apple or Android, you will need to install the Microsoft Company Portal app and configure it.

I don’t want to use my personal device for work-related activity – can I still use the Microsoft Authenticator App for MFA with University machines or services?

Yes. The Microsoft Authenticator App can still be used for Multi-Factor Authentication, even if your device is not registered with Intune.

Which apps are covered by Intune?

Depending on your type of device and your the level of Intune protection you have set up, a different offering of apps are in scope. This includes Teams and Outlook, but for a full list please visit Supported Microsoft Intune apps | Microsoft Learn which is updated by Microsoft as new apps are added.

How do I install apps which access University data when using In-App Protection?

If you have your device set up for the In-App Protection option, just install apps from the App Store or Play Store as normal.

Please Note: You may be unable to copy and paste data from these apps, or take screenshots. You may also have issues opening links from these apps unless you install the Microsoft Edge app.

How do I install apps which access University data when using Full Device Protection?

If you have your device set up for the Full Device Protection option, you will need to install apps differently depending on your device:

When using an Apple device on Full Device Protection, apps which access University data will need to be installed from within the Intune Company Portal app.

When using an Android device on Full Device Protection, apps which access University data will need to be installed from the managed Play Store within your work partition. Your work partition may display as a separate tab, or as a briefcase icon on your home screen.

Can the University wipe/reset my device if I install Intune?

If you choose to install Full Device Protection on an Apple device, this will allow the University access to remotely wipe or reset your device in extreme circumstances – e.g. should your device be lost or stolen – to protect University data. This would only be done in the most extreme circumstances, such as if your device was lost or stolen; this would only be done at the user’s request with a governance process in place to ensure the appropriate application of policy.

If you choose to install Full Device Protection on an Android device, this will allow the University access to remotely wipe University data from your device in extreme circumstances – e.g. should your device be lost or stolen – to protect University data. This would only be done in the most extreme circumstances, such as if your device was lost or stolen; this would only be done at the user’s request with a governance process in place to ensure the appropriate application of policy.

However, if you do not require Full Device Protection, you should instead use the “Option 1 – In-App Protection”. Using Option 1 provides protection only for specific applications such as the Teams, Outlook and OneDrive apps, meaning the University will not be able to wipe/reset your device.

If the FAQs above haven’t answered your question or helped resolve your issue, please contact the DS Service Desk on 01522 886500 or email dt@lincoln.ac.uk.

What can the University see on my device?

To access University resources from your device(s), you will need to register with Intune. Depending on the University resources you wish to access from your device, you will need to set up different levels of permissions.

In-App Protection allows you access to core Microsoft applications on your device – such as the Teams, Outlook and OneDrive apps.

Full Device Protection will cover your whole device so you can access other University services securely as well as the usual Microsoft applications – such as the Teams, Outlook and OneDrive apps.

Scroll down for more information on what the University can and cannot see on your device for each option.

What the University can and cannot see on your device if you use In-App Protection

What the University can see on your device with App Protection

If a device is registered with App Protection only, the University will be able to see the following information:

Device owner
Device name
Device platform
Device model, such as Google Pixel
Device manufacturer, such as Microsoft
Operating system and version, such as iOS 12.0.1

The University cannot see any personal information on the device, and we have no access to wipe the device. Only the University data that is stored within the protected app can be removed via the protection policy.

What the University cannot see on your device with App Protection

The University will never see:

Calling and web browsing history
Email and text messages
Contacts
Calendar
Passwords
Pictures, including what’s in the Photos app or camera roll
Files

On corporate-owned Android devices with a work profile:

Apps and data in your personal profile
Phone number

What the University can and cannot see on your device if you use Full Device Protection and Intune

What the University can see on your device with Full Protection and Intune installed

If you have chosen to register your personal device using the Full Device Protection through the Company Portal application, the University will be able to see the following information:

Device owner
Device name
Device serial number
Device model, such as Google Pixel
Device manufacturer, such as Microsoft
Operating system and version, such as iOS 12.0.1
Device IMEI
App inventory and app names, such as Microsoft Word
- On personal devices, your organisation can only see your managed app inventory, which includes work and school apps
- On corporate-owned devices, your organisation can see all apps installed on the device
- On corporate-owned devices with a work profile, which is limited to Android devices, your organisation can only see the apps installed in your work profile

In addition to the data the University can see, registering your device will also allow the University to have limited management of the device and to perform certain actions, including:

Remotely reset or wipe a lost or stolen device
Provide remote assistance

What the University cannot see on your device with Full Device Protection and Intune installed

The University will never see:

Calling and web browsing history
Email and text messages
Contacts
Calendar
Passwords
Pictures, including those in the photos app or camera roll
Files

On corporate-owned Android devices with a work profile:

Apps and data in your personal profile
Phone number

Full comparison of features

Feature	App Protection	Full Device Protection
Scope	Specific Apps	Entire device
Device Enrolment	Not required	Required
Data Protection	Protects corporate data within apps	Comprehensive security measures
Access Control	Policies like PIN or fingerprint	Device-wide security policies
Flexibility	Managed & unmanaged devices	More suitable for corporate-owned devices
Management	Application (app data wipeable)	Device (device data wipeable)

Full list of supported Operating Systems

Operating System	Supported Version
Apple iOS	16.7.10 17.7.2 18.2
Mac OS	13.7.1 14.7.1 15.1.1
Android OS	12.0 – with Security update after 01/06/2024 13.0 – with Security update after 01/06/2024 14.0 – with Security update after 01/06/2024 15.0 – with Security update after 01/06/2024
Windows	10.0.19045.5198 (Windows 10) 10.0.22631.4541 (Windows 11)

Written by: Alex Dunn

Last updated on: December 18, 2024